Yesterday I was browsing my friend's stories on Instagram and I saw an interesting ad from Adidas. I decided to follow the link.

The in-app Instagram web browser took me to a fabulous Adidas webpage showing an amazing 80% off on lots of products. I found several products I'd like to buy, because it was an amazing deal!

Having decided to start shopping, I went to my computer and opened the Adidas website (searching for it on Google). To my surprise there was no promotion at all. Back on my phone I opened the URL in Chrome instead of Instagram. Chrome showed a red warning sign saying I was entering a dubious website and that I was likely going to be the victim of a scam.

I was thrilled to see this. Leaving egos aside, and as a software engineer, I have several times found myself spotting cheap scams/phishing attacks. But this one took me by surprise.

There were some hints that aroused my distrust, but I didn't pay attention. My goal in this blog post is to share these hints in the hope that others will learn about these sophisticated scams. Why sophisticated? Well, the criminals behind this phishing attack were running an actual ad campaign on Instagram. What's worse, Instagram didn't pay attention to the fake Adidas ad and posted it without verifying that the brand was being used to redirect users to a fraudulent website.

Hint no 1: Check the web domain
Usually big brands own their own name on the web. So, Adidas is expected to have an official store like www.adidas.com. Now, check the domain in the screenshot below, which I took from my phone (the domain is the 'words' that start with 'www.' and end with '.com'). Notice that the domain contains a "-yeezyboost" at the end.

If you ever notice the website of a big brand using a dubious web domain, then that's a bad sign.
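
The domain check in this hint can be automated. The following is an added example, not part of the original post: it compares a URL's hostname against an allowlist of the brand's official domains and flags hostnames that only contain the brand name, generalizing from the hyphenated suffix seen here to any hostname that embeds the brand. The allowlist, the function name and the sample hostnames (under the reserved .example TLD) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the brand is known to operate, maintained by the defender.
OFFICIAL_DOMAINS = {"adidas.com"}
# Brand names to look for in hostnames that are NOT on the allowlist.
BRAND_TOKENS = {"adidas"}


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a URL or bare hostname."""
    # urlsplit only fills in the hostname when a scheme or '//' is present.
    if "://" not in url:
        url = "//" + url
    # .hostname is lowercased and excludes port and userinfo; drop a trailing dot.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unrelated"

    for domain in OFFICIAL_DOMAINS:
        # Match the domain itself or a true subdomain. The leading dot matters:
        # a plain endswith("adidas.com") would also accept "<anything>adidas.com".
        if host == domain or host.endswith("." + domain):
            return "official"

    # Not on the allowlist: does the hostname still use the brand name?
    # Hyphens and dots are removed so "adidas-yeezyboost" and "adi-das" both match.
    squashed = host.replace("-", "").replace(".", "")
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Constructed sample inputs (not the real URLs from the ad).
SAMPLES = [
    "https://www.adidas.com/us/sale",
    "https://www.adidas-yeezyboost.example/sale",
    "https://www.adidas.com.shop.example/",
    "https://news.example/adidas-sale",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

A brand name in the path, as in the last sample, is not flagged; only the hostname decides where the browser actually connects.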

Hint no 2: Pay attention to the detail
Usually attackers don't invest much time in preparing a fully working fake website, or sometimes they make mistakes in the finishing touches. In the following screenshots you will see that the floating text escapes the top bar, is not well positioned, and just looks bad.

Also check for grammar or spelling mistakes, such as in the following example. This is something a professional brand like Adidas will never do -- show a bad image by publishing content unprofessionally.

'We' should have been capitalized both times

Hint no 3: Be a bit skeptical
If it is too good to be true, maybe it is not true at all!

Extra protection
Well, anyone can overlook these hints and still try to interact with the malicious website, and the bad guys may be able to get something from us (credit card info, personal info, infect our computers). But fortunately there are other ways to protect ourselves, even for careless and negligent users.

Use a safe web browser! Chrome and Firefox immediately warned me about the phishing attack. But Safari didn't. Safari allowed me to browse the website, create an account, even populate the shopping cart and go all the way.

Firefox alerting about the malicious website.

Note: to give some credit back, by the end of the day (~6 hours later) I checked again and Safari is showing a warning stating the website is malicious.

Additionally, and to my surprise, I shared the dubious URL with myself by sending an email to myself (within my Gmail account). This is what happened:

Friday, August 4, 2017

Last week, along with two Engineers and a University Specialist, I visited my home country on a business trip. We spent a full week in Argentina doing “University Outreach”. This means that we went to a couple of universities to give tech talks about what we do in our engineering roles, how we work and what some of the hardest problems we tackle are. We also promoted our internships for students and positions for new grads as well as experienced engineers.

"Youtube Deep Dive" at ITBA

Additionally, we hosted a set of ‘special talks’.

Firstly, we gave a tech+recruiting talk at ECI (ECI is a set of one-week intensive classes that students from all around Argentina attend). The speaker was a former teacher of mine who is now working at Google Germany. She talked about the custom-made Linux distribution we use at Google for software development. Follow this link to learn about the talk.

"Linux at Google Scale" at ECI

Secondly, we gave a talk titled “Interviewing Essentials @ Google” hosted in our Buenos Aires office. I was the speaker in this one. I talked about how to build a resume, what to study, how to prepare for interviews, and we did mock interview sessions to practice problem solving. We had the pleasure of counting on former interns to help us deal with the big group of attendees.

"Interviewing Essentials" at Google Buenos Aires

Finally, we hosted our classic ‘Google Games’. In this one-afternoon competition we invited students to solve problems in teams. It was a 3 hour event where 7 teams competed to win prizes (I wish I could go back in time and participate in Google Games, because I never heard of them until I was hired).

Part of the team with the former interns

Overall I think it was a really rewarding experience. Of course it was outside of what I do day-to-day at my desk in Google NYC. But looking back, it is challenging to try new things, to speak in public and share a bit of what you work on, and to give support to students. I am not going to lie here, some nights we slept few hours (cough cough 5), but it was time well invested. Some nights students didn’t want to leave and instead asked a bunch of questions, staying one hour and a half past the supposed end time! 😄

What is the bonus content? Of course going home to visit family and old friends, eating your favourite food, and visiting the love of your life (my dachshund who resides in Argentina).

Fabricio PH

About Me

Optimistic, analytical, proactive, flexible, results-oriented, with very good handling of interpersonal relationships, strong dedication to teamwork, as well as great interest in learning, teaching and the Social Good.

Willing to do an MBA in the upcoming years and gain experience in management.